
Exhausted - Fake antivirus2012 - 26dec11 - new to this forum


  • This topic is locked
102 replies to this topic

#1 blowefamily
  • Members
  • 57 posts
  • OFFLINE
  • Local time:11:17 AM

Posted 26 December 2011 - 06:48 PM

trying to get back online - MBAM won't run - browser no go to inet-

Yesterday my daughter downloaded some music that was supposed to be an mp3 file but it turns out to have been an exe plus a load of other stuff that it seems I have removed. I have used rkill and Dr Web (it noticed the web connection was not working and tried to fix it) and all sorts of adware and fake alerts were id'd and I think Dr Web removed them... but still off the inet and can't run MBAM.
Ran Antispyware Giant and it too found a bunch of stuff... but any time I try to go to the inet the browser can't, except Opera Next, but on the second try it too is blocked.
MBAM looks like it is installing (and I had it on the PC previously anyway) but when it or I try to run MBAM it never starts (just a momentary hourglass).
Went to safe mode and disconnected the inet ethernet too and still in trouble.
I am running from a Linux PC I just set up and so that is how I have been downloading to a USB drive the Windows utilities that seem to be recommended, and getting close to just running another disk, but unfortunately may have partially screwed up by removing an odd program called ping.exe I never saw, and the pop ups for the fake 2012 no longer show up but I still can't get on the inet nor run MBAM.
Good news is I can reboot now instead of having to turn off then on, as for a while there I could only shut down.
Running Win XP Pro 32bit SP3, dual core Intel 6300 1.86GHz with 8gig, GeForce 8800GTS gamer PC (my son's old one).
I cannot turn on my firewall, either Windows or NVIDIA.
My HijackThis 2.04 says -
I cannot go online with Microsoft Essentials but can scan with it, and CCi 3.4.16.16 I downloaded several days ago, and have also run Spybot Search and Destroy 1.6.2.46; I used TDSSKiller too.
I went to the hosts file and see just plain jane, and tried using MVPS hosts and no different, no connection to inet.
FixNCR was run too.

# Copyright © 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost



Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 6:16:09 PM, on 12/26/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\nvsvc32.exe
F:\WINDOWS\system32\svchost.exe
f:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
F:\Program Files\Common Files\Acronis\CDP\afcdpsrv.exe
F:\WINDOWS\system32\drivers\CDAC11BA.EXE
F:\Program Files\Dyyno\Dyyno Broadcaster\launcherd.exe
F:\Program Files\Java\jre6\bin\jqs.exe
F:\Program Files\CDBurnerXP\NMSAccessU.exe
F:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
F:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
F:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
F:\Program Files\iPod\bin\iPodService.exe
F:\WINDOWS\system32\wscntfy.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\Google\Update\GoogleUpdate.exe
F:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
F:\WINDOWS\system32\RUNDLL32.EXE
F:\Program Files\Razer\Lachesis\razerhid.exe
F:\Program Files\iTunes\iTunesHelper.exe
F:\WINDOWS\RTHDCPL.EXE
F:\Program Files\Ask.com\Updater\Updater.exe
F:\Program Files\Common Files\Java\Java Update\jusched.exe
F:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
F:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
F:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
F:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
F:\Program Files\Microsoft Security Client\msseces.exe
F:\WINDOWS\system32\ctfmon.exe
F:\Documents and Settings\dab\Desktop\HijackThis.exe
F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
F:\Program Files\Brother\ControlCenter3\brccMCtl.exe
F:\Program Files\U-ABIT\abitEQ\abiteq.exe
F:\Program Files\Messenger\msmsgs.exe
F:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe
F:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
F:\Program Files\Brother\Brmfcmon\BrMfcmon.exe
F:\Program Files\Razer\Lachesis\razerofa.exe
F:\WINDOWS\system32\DllHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: YTNavAssist.YTNavAssistPlugin Class - {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - F:\Program Files\Yahoo!\Companion\Installs\cpn0\YTNavAssist.dll
O1 - Hosts: ::1 localhost #[IPv6]
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - F:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - (no file)
O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - F:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - F:\Program Files\Ask.com\GenericAskToolbar.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - F:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - F:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: BrowserHelper Class - {EDF48A39-1442-463F-9F4E-F376A78D034A} - F:\Program Files\Livedrive\LivedriveExplorerExtensions.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - F:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll
O3 - Toolbar: Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - F:\Program Files\Ask.com\GenericAskToolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - F:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [nTrayFw] F:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE F:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] F:\Program Files\NVIDIA Corporation\nView\nwiz.exe /installquiet
O4 - HKLM\..\Run: [Lachesis] F:\Program Files\Razer\Lachesis\razerhid.exe
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "F:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [ApnUpdater] "F:\Program Files\Ask.com\Updater\Updater.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "F:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [TrueImageMonitor.exe] "F:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe"
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "F:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "F:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] "F:\Program Files\ScanSoft\PaperPort\pptd40nt.exe"
O4 - HKLM\..\Run: [IndexSearch] "F:\Program Files\ScanSoft\PaperPort\IndexSearch.exe"
O4 - HKLM\..\Run: [PPort11reminder] "F:\Program Files\ScanSoft\PaperPort\Ereg\Ereg.exe" -r "F:\Documents and Settings\All Users\Application Data\ScanSoft\PaperPort\11\Config\Ereg\Ereg.ini"
O4 - HKLM\..\Run: [BrMfcWnd] F:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [ControlCenter3] F:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [MSC] "f:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [HijackThis startup scan] F:\Documents and Settings\dab\Desktop\HijackThis.exe /startupscan
O4 - HKCU\..\Run: [SpybotSD TeaTimer] F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ABIT uGuruIII] F:\Program Files\U-ABIT\abitEQ\abiteq.exe
O4 - HKCU\..\Run: [MSMSGS] "F:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DWQueuedReporting] "f:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "f:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "f:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = F:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = F:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://F:\WINDOWS\system32\GPhotos.scr/200
O9 - Extra button: Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - F:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra 'Tools' menuitem: Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - F:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - F:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - F:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1293275636015
O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - F:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - F:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - F:\WINDOWS\System32\browseui.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - F:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Acronis Nonstop Backup Service (afcdpsrv) - Acronis - F:\Program Files\Common Files\Acronis\CDP\afcdpsrv.exe
O23 - Service: Apple Mobile Device - Apple Inc. - F:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - F:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - F:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Dyyno Service (Dyyno Launcher) - Unknown owner - F:\Program Files\Dyyno\Dyyno Broadcaster\launcherd.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - F:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - F:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - F:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Updater Service (gusvc) - Google - F:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - F:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - F:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NMSAccess - Unknown owner - F:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - F:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - F:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - F:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Acronis Sync Agent Service (syncagentsrv) - Acronis - F:\Program Files\Common Files\Acronis\SyncAgent\syncagentsrv.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - F:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 12106 bytes
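The HijackThis log above is a flat text dump that the helpers in this thread read by eye. As an added example (not from the thread and not HijackThis project code), the following parses the O4 (Run keys), O23 (services) and CLSID-bearing O2/O3/O9 line formats into records and flags the entries a responder checks first: orphaned entries whose file is gone, services with no publisher, and Run-key autoruns launched from user-writable locations. SAMPLE_LOG is constructed: all of its lines but one are copied from the log above; the `[Updater]` autorun pointing at a copy of svchost.exe under Application Data is an invented suspicious entry used to exercise the location check, and the USER_WRITABLE path fragments are this example's own assumption.

```python
"""Structured triage of HijackThis log lines.

Added example, not from the thread or the HijackThis project. Parses the
O4 (Run keys), O23 (services) and CLSID-bearing O2/O3/O9 line formats and
flags what a responder checks first. SAMPLE_LOG is constructed: all lines
but the [Updater] autorun are copied from the log above; that one is an
invented suspicious entry used to exercise the user-writable-path check.
"""
import re

SAMPLE_LOG = "\n".join([
    r"O2 - BHO: (no name) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - (no file)",
    r'O4 - HKLM\..\Run: [MSC] "f:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey',
    r"O4 - HKCU\..\Run: [Updater] F:\Documents and Settings\dab\Application Data\svchost.exe",
    r"O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - F:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing)",
    r"O23 - Service: Dyyno Service (Dyyno Launcher) - Unknown owner - F:\Program Files\Dyyno\Dyyno Broadcaster\launcherd.exe",
    r"O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - F:\WINDOWS\system32\nvsvc32.exe",
])

O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
CLSID_RE = re.compile(r"^(?P<section>O\d+) - (?P<name>.+?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")

MISSING_MARKERS = ("(no file)", "(file missing)")
# Assumption of this example: path fragments that identify locations a standard user can write to.
USER_WRITABLE = ("documents and settings", "application data", "\\appdata\\", "\\temp\\")


def exe_from_command(cmd):
    """Best-effort executable path from a Run-key command line.
    HijackThis prints paths either quoted or unquoted; unquoted paths may contain
    spaces, so for those we take everything up to the first '.exe'."""
    quoted = re.match(r'^"([^"]+)"', cmd)
    if quoted:
        return quoted.group(1)
    unquoted = re.match(r"^(.+?\.exe)\b", cmd, re.IGNORECASE)
    return unquoted.group(1) if unquoted else cmd.split()[0]


def parse_hjt(text):
    """Return a list of {section, subject, path, owner} records for recognised lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := O4_RE.match(line):
            entries.append({"section": "O4",
                            "subject": f"{m['hive']}\\{m['key']} [{m['name']}]",
                            "path": exe_from_command(m["cmd"]), "owner": None})
        elif m := O23_RE.match(line):
            entries.append({"section": "O23", "subject": m["name"],
                            "path": m["path"], "owner": m["owner"]})
        elif m := CLSID_RE.match(line):
            entries.append({"section": m["section"], "subject": m["name"],
                            "path": m["path"], "owner": None})
    return entries


def triage_hjt(text):
    """Return [(section, subject, path, [flags])] for entries that deserve a second look."""
    findings = []
    for e in parse_hjt(text):
        flags = []
        low = e["path"].lower()
        if low.endswith(MISSING_MARKERS):
            flags.append("referenced file missing (orphaned entry)")
        if e["owner"] == "Unknown owner":
            flags.append("service binary has no publisher (verify signature and hash)")
        if e["section"] == "O4" and any(part in low for part in USER_WRITABLE):
            flags.append("autorun launched from a user-writable location")
        if flags:
            findings.append((e["section"], e["subject"], e["path"], flags))
    return findings


if __name__ == "__main__":
    for section, subject, path, flags in triage_hjt(SAMPLE_LOG):
        print(f"{section:<4} {subject}\n     {path}\n     -> {'; '.join(flags)}")
```

A flag is a prompt to look, not a verdict: the orphaned Yahoo! Messenger button and the Dyyno service in the real log are almost certainly leftovers of legitimate software, and the point of the script is to shrink a 200-line log to the handful of entries worth checking against a known-good baseline or a file hash lookup.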
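The hosts file the poster pasted is the stock XP default, and the single HijackThis O1 line in the log (`::1 localhost #[IPv6]`) is the ordinary IPv6 loopback entry, so whatever is blocking the browser is not a hosts-file redirect. The following is an added example, not part of the thread, of how a responder can triage a hosts file copied off an infected disk (as the poster is doing from a Linux box) for the redirections fake-AV families commonly write. Both sample files, the vendor watch-list in SENSITIVE_NAME_PARTS and the TEST-NET address 203.0.113.10 are constructed for the example.

```python
"""Triage a Windows HOSTS file for the redirections rogue/fake-AV malware
writes to cut a victim off from security-vendor and update sites.

Added example, not from the thread. Both sample files are constructed:
CLEAN_HOSTS mirrors the default XP hosts file the poster pasted (plus the
IPv6 loopback line HijackThis reports as O1); TAMPERED_HOSTS is an invented
hostile file using the TEST-NET-3 documentation address 203.0.113.10.
"""
import ipaddress
import re

# Names that legitimately map to a loopback address in a default Windows hosts file.
BENIGN_LOOPBACK_NAMES = {"localhost"}

# Constructed watch-list (an assumption of this example): substrings of host
# names a fake-AV typically blocks so the victim cannot fetch or update tools.
SENSITIVE_NAME_PARTS = (
    "microsoft.com", "windowsupdate", "malwarebytes", "bleepingcomputer",
    "symantec", "kaspersky", "mcafee", "avast", "spybot", "sophos",
)

MAPPING_RE = re.compile(r"^\s*(\S+)\s+(.+?)\s*$")

CLEAN_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
# 102.54.94.97     rhino.acme.com          # source server
127.0.0.1       localhost
::1             localhost #[IPv6]
"""

TAMPERED_HOSTS = """\
127.0.0.1       localhost
127.0.0.1       www.malwarebytes.org
127.0.0.1       forums.bleepingcomputer.com
203.0.113.10    windowsupdate.microsoft.com
203.0.113.10    www.example.com
"""


def parse_hosts(text):
    """Yield (lineno, ip, [names]) for every active mapping, skipping comments and blanks."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0]          # drop trailing comment
        if not line.strip():
            continue
        m = MAPPING_RE.match(line)
        if m:
            yield lineno, m.group(1), m.group(2).split()


def triage_hosts(text):
    """Return [(lineno, reason, entry)] findings; an empty list means nothing suspicious."""
    findings = []
    for lineno, ip, names in parse_hosts(text):
        entry = f"{ip} {' '.join(names)}"
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((lineno, "unparseable address", entry))
            continue
        for name in names:
            lname = name.lower()
            if addr.is_loopback and lname in BENIGN_LOOPBACK_NAMES:
                continue                       # 127.0.0.1 / ::1 -> localhost is normal
            if any(part in lname for part in SENSITIVE_NAME_PARTS):
                reason = ("security/update site pinned to loopback (blocked)"
                          if addr.is_loopback
                          else f"security/update site redirected to {ip}")
                findings.append((lineno, reason, entry))
            elif not addr.is_loopback:
                # Not necessarily hostile (intranet entries look like this), but worth a look.
                findings.append((lineno, "non-loopback mapping for external name", entry))
    return findings


if __name__ == "__main__":
    for label, text in (("clean", CLEAN_HOSTS), ("tampered", TAMPERED_HOSTS)):
        hits = triage_hosts(text)
        print(f"{label}: {len(hits)} finding(s)")
        for lineno, reason, entry in hits:
            print(f"  line {lineno}: {reason}: {entry}")
```

Point it at a copy of the `drivers\etc\hosts` file from the infected volume. Loopback entries for names outside the watch-list are deliberately not reported, because ad-blocking host lists such as the MVPS file the poster tried consist of exactly those; an empty result means the hosts file is not what is stopping the browser and the investigation moves to the winsock/LSP chain, proxy settings and resident malware.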

#2 blowefamily
  • Topic Starter
  • Members
  • 57 posts
  • OFFLINE
  • Local time:11:17 AM

Posted 26 December 2011 - 07:00 PM

Also, if I try to turn on the Windows firewall, Windows will complain that it cannot turn the firewall on and I should go to Control Panel and do it... but when I do try to turn on the firewall at Control Panel then Windows complains the internet connection service must be started but it can't.

#3 blowefamily
  • Topic Starter
  • Members
  • 57 posts
  • OFFLINE
  • Local time:11:17 AM

Posted 26 December 2011 - 07:08 PM

This will sound silly but I don't know how I will see a reply.

I guess I just sit here and wait.

I can see a status of 4 reading my post.

Just booted into pure safe mode to try and get MBAM to run.

I guess the virus/virus maker is afraid of MBAM.

#4 blowefamily
  • Topic Starter
  • Members
  • 57 posts
  • OFFLINE
  • Local time:11:17 AM

Posted 26 December 2011 - 08:02 PM

Note that TDSSKiller DID quarantine two files on 25dec11 when I first tried to stop the antivirus2012.

#5 blowefamily
  • Topic Starter
  • Members
  • 57 posts
  • OFFLINE
  • Local time:11:17 AM

Posted 26 December 2011 - 08:08 PM

Running rkill several times then running mbam.exe as administrator does have it show up as running in Task Manager, but I never see the program.

#6 blowefamily
  • Topic Starter
  • Members
  • 57 posts
  • OFFLINE
  • Local time:11:17 AM

Posted 28 December 2011 - 03:16 PM

Also finally realized I cannot turn on the Windows firewall nor the NVIDIA firewall, cannot complete a restore of any kind with System Restore... says it is doing it but at the final point says it could not be done, cannot connect to inet, cannot start ICS, cannot ever get MBAM to show up after the first click and hourglass. One program only has id'd ZERO ACCESS as the problem, but when I run the utilities to remove it they say it isn't there. I run rkill and it hasn't changed anything whether running safe mode or safe with networking. Sometimes in Task Manager I see something called wmimproviz and wonder if it is not good, as it disappears after running rkill. Initially saw ping.exe and the system would reboot itself with a 60 second countdown, and the antivirus2012 are all gone it seems, but I am still stuck with "zero access", running from a linux box....

#7 blowefamily
  • Topic Starter
  • Members
  • 57 posts
  • OFFLINE
  • Local time:11:17 AM

Posted 28 December 2011 - 03:43 PM

When System Restore runs it looks good and even shows a progress bar and seems to complete, then reboots and comes back with a big red X and restoration incomplete.

#8 blowefamily
  • Topic Starter
  • Members
  • 57 posts
  • OFFLINE
  • Local time:11:17 AM

Posted 28 December 2011 - 04:03 PM

Note that my PC works perfectly, and to prove it to myself I just loaded a live distro of openSUSE and I am on the inet with Firefox A-OK. So my PC/cables/router/cable modem and cable broadband are all OK, to both my Linux box and this WinXP Pro box now running a Linux live distro. TAKE THAT ZERO ACCESS! Now I will continue with trying to get Windows to behave.

#9 blowefamily
  • Topic Starter
  • Members
  • 57 posts
  • OFFLINE
  • Local time:11:17 AM

Posted 29 December 2011 - 12:16 PM

I have my USB drive loaded for bear (although the CD drive works OK) and tried to launch the hijackplus install, and a window popped up saying that the administrator had set policies to prevent this installation.

#10 blowefamily
  • Topic Starter
  • Members
  • 57 posts
  • OFFLINE
  • Local time:11:17 AM

Posted 31 December 2011 - 02:57 PM

Just noticed again a task called wmimprvse.exe, and it was killed by rkill and called out by rkill, but then while watching tasks in Task Manager I saw it appear and then after a couple minutes it disappeared... good/bad/ugly I wonder?

#11 gringo_pr
    Bleepin Gringo
  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:12:17 PM

Posted 01 January 2012 - 03:02 PM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.

  • Do not run any other tool until instructed to do so!
  • Please do not attach logs or put them in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having as these can help also.
  • Do not run anything while running a fix.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.

In order for me to see the status of the infection I will need a new set of logs to start with.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger:

  • Please download DeFogger to your desktop.

    Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger may ask you to reboot the machine, if it does - click OK
Do not re-enable these drivers until otherwise instructed.

Download DDS:

  • Please download DDS by sUBs from one of the links below and save it to your desktop:

    Link1
    Link2
    Link3

    Please disable any anti-malware program that will block scripts from running before running DDS.

    • Double-Click on dds.scr and a command window will appear. This is normal.
    • Shortly after two logs will appear:
    • DDS.txt
    • Attach.txt
  • A window will open instructing you save & post the logs
  • Save the logs to a convenient place such as your desktop
  • Copy the contents of both logs & post in your next reply

Scan With RKUnHooker

  • Please Download Rootkit Unhooker Save it to your desktop.
  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (tick) Drivers and Stealth. Uncheck the rest, then click OK.
  • Wait till the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.
Copy the entire contents of the report and paste it in a reply here.

Note** you may get this warning; it is OK, just ignore it:

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"


"just click on Cancel, then Accept".

information and logs:

  • In your next post I need the following
  • logs from DDS
  • log from RKUnHooker
  • let me know of any problems you may have had

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#12 blowefamily
  • Topic Starter
  • Members
  • 57 posts
  • OFFLINE
  • Local time:11:17 AM

Posted 02 January 2012 - 12:57 PM

I just saw your reply.
I was able to turn on the firewall and I am not sure why all of the sudden, but I had tried to run DDS on my own and it would always hang even though I would wait 30 minutes for it to come back.
Had run rkill a bunch of times.
RogueKiller was run again last night and it still id'd ZeroAccess as being there some place and locked in windir\NtUpdateKBxxxx, which I have yet to find.
This morning I had finally decided to turn off System Restore as it could not complete a restore.
I noticed in a log from last night (finally) that RogueKiller is not reporting ZEROACCESS SINCE 224151 LAST NIGHT 1JAN12.
GMER ran for the first time today a couple of hours ago.
MBAM still tries to install but the program never can start once installed, so that is still very suspicious.
RKUnhooker installs and can run, which it couldn't before.
Still no inet connection.
GMER does point out something called \systemroot\system32\drivers\BlackBox.SYS under rootkit/malware.
I was about to say screw it and load Service Pack 3 even though I have it, as it is supposed to load 1/2/3 SPs and could wipe out, sort of brute force, the ZeroAccess... if that is my only problem.
The computer hardware itself is all A-OK and I can load a live Linux disk and go out to the internet no sweat... but want to beat this Win XP Pro virus as WinXP Pro is so easy to use without darn rpm this and that (which is why script kiddies don't mess with Linux I suppose).
I will stop what I was about to do and download the items you recommend to my USB drive and send what you ask for asap.

#13 gringo_pr
    Bleepin Gringo
  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:12:17 PM

Posted 02 January 2012 - 01:39 PM

Hello

I Would like you to do the following.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only); if this happens please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo

#14 gringo_pr
    Bleepin Gringo
  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:12:17 PM

Posted 04 January 2012 - 11:26 PM

Hello

48 Hour bump

It has been more than 48 hours since my last post.

  • do you still need help with this?
  • do you need more time?
  • are you having problems following my instructions?
  • if after 48hrs you have not replied to this thread then it will have to be closed!

Gringo

#15 blowefamily
  • Topic Starter
  • Members
  • 57 posts
  • OFFLINE
  • Local time:11:17 AM

Posted 05 January 2012 - 09:12 AM

Gringo,

Yes, still need help.

Sorry, got sick and couldn't see straight a couple of days.

Will have this back to you tonight.

Thx.



